Enable runtime sysctl hardening in order to avoid kernel
addresses being disclosed via dmesg (in case the kernel was
built without such restrictions) or via various /proc files.
See https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
for further information.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
name = setup
version = 3.0
-release = 10
+release = 11
arch = noarch
groups = Base Build System/Base
%{BUILDROOT}%{sysconfdir}/sysctl.d/printk.conf
install -m 644 %{DIR_APP}/sysctl/swappiness.conf \
%{BUILDROOT}%{sysconfdir}/sysctl.d/swappiness.conf
+ install -m 644 %{DIR_APP}/sysctl/kernel-hardening.conf \
+ %{BUILDROOT}%{sysconfdir}/sysctl.d/kernel-hardening.conf
end
end
--- /dev/null
+# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
+kernel.kptr_restrict = 1
+
+# Avoid kernel memory address exposures via dmesg.
+kernel.dmesg_restrict = 1
+
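Review bot: The comment above `kernel.kptr_restrict = 1` overstates what value 1 achieves: it only zeroes %pK pointers for readers without CAP_SYSLOG, so root (and anything else holding that capability) still sees real addresses in /proc/kallsyms and /proc/modules, and only value 2 hides them unconditionally. Since the commit message motivates the change as avoiding address disclosure, the comment should state the boundary, e.g. `# kptr_restrict=1 zeroes %pK pointers for unprivileged readers only; CAP_SYSLOG holders still see them (2 would hide them from root as well).` Similarly, `kernel.dmesg_restrict = 1` makes reading the ring buffer require CAP_SYSLOG, so a one-line note such as `# dmesg_restrict=1: dmesg(1) now requires CAP_SYSLOG` would warn anyone running unprivileged tooling that scrapes dmesg, if such tooling exists on this system. The file may continue past the trailing blank line shown here, so any settings below it are not covered by this comment.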